New on LowEndTalk? Please Register and read our Community Rules.
Comments
Not me :P
Well, some people do the DROP all policy, and then allow each port one by one. I am too lazy for this xD
I do that. Drop all, allow ports serving to the public one by one, and whitelist my own IPs for SSH etc.
http://www.lowendtalk.com/discussion/comment/77516#Comment_77516
when running a MySQL bound to public ip address you can add
and if you don't default to drop/reject consider adding
-A INPUT -p tcp --dport 3306 -j DROP
So do I.
@Deor, you may find some interesting sample rules here: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
apt-get remove iptables
Ha,
yum install iptables
Any reason why you would be un-installing iptables there William?
I prefer different software, iptables is not reliable at higher PPS.
@William - which one?
Yeah, I'm interested to hear about this also.
pf, along with kfreebsd kernel.
Bah, maybe for high bw routers and stuff, it is hardly the case for the regulars here
Personally I don't block anything, I also allow ssh on 22, just make sure software is reasonably up to date and not very new. Running squeeze means both conditions are met with relative ease.
Better to not have your back-end listen to the internet than having to do iptables to limit access, unless you need to.
AFAIK, never been rooted on a VPS.
M
P.S. Also, another golden rule: keep your surface small, meaning run only what you need to, disable any unnecessary compilers after you used them and don't install if you don't use, for example.
Interesting stuff guys, thanks for the input.
So my question now is what are the risks of not running a firewall on your VPS that has a public ip address directly on the internet?
Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?
Think I'm going to start running some scans against one of my spare VPSs with nessus or something and see what happens.
Anything that listens on a port can be a way into your server (or connects out from your server). Other than that, nothing, so my advice is: change the default ssh port, install fail2ban, make sure your web server is properly configured/secured, obviously don't run them under root, and make sure everything else is good.
Instead of raw iptables you can use ufw.
I'm too lazy to write custom scripts so I have an Excel file with all our servers, their IPs and ports and I'm using it to generate firewalls.
Besides that, "less is more" - fewer potential access methods, more secure.
I've mainly used Firehol to configure iptables, but was testing UFW the other day too. Both seem to do a good job, but the problem I had was getting things like PPTPd to work as you need to add specific rules and forwards and I just couldn't get either tool to do it.
Anyway, it's always good to understand a bit more about what's going on behind the tools, I think.
I run pop, but I firewall it and access it thru ssh.
Could always make it listen to lo only, then.
M
Listening TCP ports:
netstat -ltn
And UDP ports:
netstat -lun
"0.0.0.0" means listening on all interfaces, including your public one.
For services that only you access, use iptables to restrict access to a specific IP or IPs or network range.
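As an added example (not from any poster in this thread): a small shell script that reads netstat -ltn / netstat -lun output, lists the sockets bound to 0.0.0.0 or :: (the ones reachable from your public IP), and then emits iptables rules in the thread's -A INPUT form that let one admin IP reach a port and drop everyone else. The netstat sample and the admin IP 203.0.113.10 are constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn` / `netstat -lun` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Print "proto port" for every socket bound to all interfaces (0.0.0.0 or ::),
# i.e. the listeners exposed on the public address. Reads netstat output on stdin;
# loopback-only listeners such as 127.0.0.1:25 are skipped.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") {
            proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
            print proto, port
        }
    }'
}

# Emit two iptables rules: accept the port from one admin IP, drop it from anyone else.
# Arguments: $1 = proto (tcp/udp), $2 = port, $3 = admin IP. Order matters: the
# ACCEPT must come before the DROP, as iptables matches rules top to bottom.
restrict_to_ip() {
    printf '%s\n' "-A INPUT -p $1 -s $3 --dport $2 -j ACCEPT"
    printf '%s\n' "-A INPUT -p $1 --dport $2 -j DROP"
}

# Usage: audit the constructed sample, then lock MySQL down to the placeholder admin IP.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
restrict_to_ip tcp 3306 203.0.113.10
```

On a live box, replace the sample with `netstat -ltn; netstat -lun` piped into exposed_listeners, and load the emitted rules with iptables-restore or prefix them with `iptables` before the existing rules.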
Nice, thanks mate
And I guess you could do that with any service like exim and mysql. Nice tip
Not for services (pop) run from inetd